I would like to create self-signed certificates on the fly with arbitrary start- and end-dates, including end-dates in the past. I would prefer to use standard tools, e.g., OpenSSL, but anything that gets the job done would be great.
The Stack Overflow question How to generate openssl certificate with expiry less than one day? asks a similar question, but I want my certificate to be self-signed.
In case you were wondering, the certificates are needed for automated testing.
Best Answer
You have two ways of creating certificates in the past. Either faking the time (1)(2), or defining the time interval when signing the certificate (3).
1) Firstly, about faking the time: to make one program think it is on a different date from the rest of the system, have a look at libfaketime and faketime.
To install it in Debian:
You would then use faketime before the openssl command. For examples of use:
From man faketime:
So for instance, in your case, you can very well define a date of 2008, and then create a certificate with a validity of 2 years, up to 2010.
As a side note, this utility can be used on several Unix versions, including macOS, as a wrapper for any kind of program (not only command-line ones).
As a clarification, only the binaries loaded with this method (and their children) have their time changed; the fake time does not affect the current time of the rest of the system.
2) As @Wyzard states, you also have the datefudge package, which is very similar in use to faketime. As for differences, datefudge does not influence fstat (i.e. it does not change file creation times). It also has its own library, datefudge.so, which it loads using LD_PRELOAD. It also has a -s (static time) option, where the referenced time is always returned no matter how many extra seconds have passed.
3) Besides faking the time, and even more simply, you can also define the starting point and ending point of validity of the certificate when signing it in OpenSSL.
The misconception in the question you link to is this: certificate validity is not defined at request time (in the CSR), but when signing it.
When using openssl ca to create the self-signed certificate, add the options -startdate and -enddate. The date format in those two options, according to the openssl sources at openssl/crypto/x509/x509_vfy.c, is ASN1_TIME aka ASN1UTCTime: the format must be either YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ.
Quoting openssl/crypto/x509/x509_vfy.c:
And from the CHANGE log (2038 bug?). This change log entry is just an additional footnote, as it only concerns those using the API directly.
So, creating a certificate from the 1st of January 2008 to the 1st of January 2010 can be done as:
or
-startdate and -enddate do appear in the openssl sources and CHANGE log; as @guntbert noted, while they do not appear in the main man openssl page, they do appear in man ca:
Quoting openssl/CHANGE:
P.S. As for the chosen answer of the question you reference from StackExchange: it is generally a bad idea to change the system time, especially on production systems, and with the methods in this answer you do not need root privileges.
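The following script is an added example and is not part of the question or the answer above. It exercises method (3) end to end: it builds the scaffolding that openssl ca insists on (config file, index database, serial file), mints a self-signed certificate with an explicit, already-expired validity window via -startdate/-enddate, reads the dates back, shows which ASN.1 tag each date was encoded with (the YY form the answer quotes becomes UTCTIME, a YYYY date from 2050 on becomes GENERALIZEDTIME, per RFC 5280), and then shows that openssl verify rejects the certificate today but accepts it when asked to verify "as of" 2009 with -attime, which is often all a test suite needs instead of faketime. It assumes a POSIX sh and the openssl command-line tool (1.1.x or 3.x); the section names (selfsign_ca, policy_cn_only, leaf_ext, req_dn), file names and the functions make_cert, not_before, not_after, validity_tags and verify_at are chosen here, not taken from the page.

```shell
#!/bin/sh
# Added example, not from the answer above. Method (3): "openssl ca -selfsign"
# with explicit -startdate/-enddate, producing a self-signed certificate whose
# validity window is already over. Assumes a POSIX sh and the openssl CLI
# (1.1.x or 3.x); config section names and file names are chosen here.
set -e

# "openssl ca" refuses to run without a config file, an index database, a
# serial file and an output directory, even for a one-off self-signed cert.
write_ca_config() {
    cat > "$1" <<'EOF'
[ ca ]
default_ca = selfsign_ca

[ selfsign_ca ]
new_certs_dir   = .
database        = index.txt
serial          = serial
default_md      = sha256
policy          = policy_cn_only
unique_subject  = no
x509_extensions = leaf_ext

[ policy_cn_only ]
commonName = supplied

[ leaf_ext ]
basicConstraints     = critical, CA:FALSE
subjectKeyIdentifier = hash

# "openssl req" insists on a distinguished_name section even when -subj is used.
[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
CN = placeholder
EOF
}

# make_cert WORKDIR CN STARTDATE ENDDATE
# Dates use the forms the answer quotes: YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ.
# Leaves key.pem and cert.pem in WORKDIR. Validity is fixed at signing time,
# not in the CSR, which is why it goes on the "ca" command and not on "req".
make_cert() {
    mkdir -p "$1"
    ( set -e; cd "$1"
      write_ca_config ca.cnf
      : > index.txt
      echo 01 > serial
      openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out key.pem 2>/dev/null
      openssl req -new -config ca.cnf -key key.pem -subj "/CN=$2" -out req.pem
      # ca is chatty on stderr; drop the redirect to see why a signing failed.
      openssl ca -batch -notext -selfsign -config ca.cnf -keyfile key.pem \
          -startdate "$3" -enddate "$4" -in req.pem -out cert.pem 2>/dev/null )
}

# The validity dates as OpenSSL prints them back.
not_before() { openssl x509 -noout -startdate -in "$1"; }
not_after()  { openssl x509 -noout -enddate  -in "$1"; }

# ASN.1 tags used for notBefore/notAfter. RFC 5280: UTCTime (two-digit year)
# through 2049, GeneralizedTime from 2050 on. A YY date is stored as UTCTIME;
# a YYYY date of 2050 or later cannot be, so it is stored as GENERALIZEDTIME.
validity_tags() {
    openssl asn1parse -in "$1" | grep -Eo 'UTCTIME|GENERALIZEDTIME' | tr '\n' ' ' | sed 's/ $//'
}

# verify_at CERT [EPOCH]: verify the cert against itself, optionally "as of"
# a Unix time (openssl verify -attime), and print ok / expired / the error.
verify_at() {
    cert=$1; shift
    if [ $# -gt 0 ]; then set -- -attime "$1"; fi
    if out=$(openssl verify "$@" -CAfile "$cert" "$cert" 2>&1); then
        echo ok
    else
        case $out in *expired*) echo expired ;; *) echo "failed: $out" ;; esac
    fi
}

# Demo: one cert valid only during 2008-2009, one that runs to 2060.
work=$(mktemp -d)
make_cert "$work/expired" test-expired 080101000000Z 100101000000Z
make_cert "$work/long" test-long 080101000000Z 20600101000000Z
for d in expired long; do
    c=$work/$d/cert.pem
    echo "$d: $(not_before "$c") / $(not_after "$c") [$(validity_tags "$c")]"
    echo "$d: now -> $(verify_at "$c"); as of 2009-01-01 -> $(verify_at "$c" 1230768000)"
done
rm -rf "$work"
```

The -attime value 1230768000 is 2009-01-01T00:00:00Z. Nothing here needs root or touches the system clock; if the code under test cannot be pointed at a verification time the way openssl verify can, that is the case for wrapping it in faketime as in methods (1) and (2).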